Jeff Wiegley
2010-May-31 01:24 UTC
[Samba] ARGH... once again samba causes "permission" errors. SOLVED
Ok, I was able to fix both of my problems and they are both related to SELinux problems.

First: I am assuming that you are like me and that you have an excellent background in systems administration (I teach it at a university for a living.) So you've configured chmod permissions and chown user and group ownerships on directories and files to correctly allow the desired access. You have configured samba to force a reasonable user or group or you have logged in with reasonable user credentials.

But you're still not able to create file/folder or maybe you can't map certain paths. You've probably been frustrated by the endless posts and suggestions telling you to fix the fundamental things described in the previous paragraph.

If you have taken care of the fundamental permission items but you are seeing either of the following:

A) You can map a share but whenever you try to create a new folder or file Windows pops up an error dialog (Try again).
B) You can map certain paths but now others (particularly a path equivalent to a mount point (XFS/Raid5 filesystem in my case.

Well, I'm running CentOS 5.5 and it has SELinux enabled by default but the context on the share path is probably not allowing samba.

You can check the context of the path with the -Z switch of ls:

    [root at nas samba]# ls -ldZ /mnt
    drwxr-xr-x  root root system_u:object_r:mnt_t          /mnt

In this case the context is "mnt_t", you need to change the context to samba_share_t:

    [root at nas samba]# chcon -t samba_share_t /mnt/nas
    [root at nas samba]# ls -adZ /mnt/nas
    drwxr-x---  nas nas system_u:object_r:samba_share_t  /mnt/nas

Now your share should both mount and allow the creation/deletion of folders/files.

Warning: I am old, I learned system administration and practiced it for a decade in industry before SELinux was even invented. I do not pretend to begin to understand this [possibly overly] complicated security system.

- Jeff
Adam Przybyla
2010-May-31 07:27 UTC
[Samba] ARGH... once again samba causes "permission" errors. SOLVED
On Sun, May 30, 2010 at 06:24:49PM -0700, Jeff Wiegley wrote:
> Ok, I was able to fix both of my problems and they are both related
> to SELinux problems
>
> First: I am assuming that you are like me and that you have an excellent
> background in systems administration (I teach it at a university for a
> living.) So you've configured chmod permissions and chown user and
> group ownerships on directories and files to correctly allow the desired
> access. You have configured samba to force a reasonable user or group
> or you have logged in with reasonable user credentials.
>
> But you're still not able to create file/folder or maybe you can't map
> certain paths. You've probably been frustrated by the endless
> posts and suggestions telling you to fix the fundamental things described
> in the previous paragraph.
>
> If you have taken care of the fundamental permission items but
> you are seeing either of the following:
> A) You can map a share but whenever you try to create a new
> folder or file windows pops up an error dialog (Try again).
> B) You can map certain paths but now others (particularly a path
> equivalent to a mount point (XFS/Raid5 filesystem in my case.
>
> Well, I'm running CentOS 5.5 and it has SELinux enabled by default
> but the context on the share path is probably not allowing samba.
>
> you can check the context of the path with the -Z switch ls:
>
> [root at nas samba]# ls -ldZ /mnt
> drwxr-xr-x root root system_u:object_r:mnt_t /mnt
>
> In this case the context is "mnt_t", you need to change the
> context to samba_share_t
>
> [root at nas samba]# chcon -t samba_share_t /mnt/nas
> [root at nas samba]# ls -adZ /mnt/nas
> drwxr-x--- nas nas system_u:object_r:samba_share_t /mnt/nas
>
> Now your share should both mount and allow the creation/deletion
> of folders/files.
>
> Warning: I am old, I learned system administration and practiced
> it for a decade in industry before SELinux was even invented. I do
> not pretend to begin to understand this [possibly overly] complicated
> security system.

... make this permanent:

    semanage fcontext -a -t samba_share_t /mnt/nas

Regards
Adam Przybyla
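
An added example, not part of either message above: a POSIX shell check that reads the SELinux type out of `ls -dZ` output, as in Jeff's session, and prints the persistent fix when a share path is not labeled samba_share_t. It goes beyond the thread in two assumptions: the rule uses the "(/.*)?" suffix so files under the share are covered too, and restorecon is run afterwards because semanage fcontext only records the rule and does not relabel existing files. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit the SELinux type on Samba shares.
WANT_TYPE=samba_share_t   # the type named in the thread

# Print the SELinux type found in one line of `ls -dZ` / `ls -ldZ` output.
# Handles user:role:type (CentOS 5, as quoted in the thread) and the
# user:role:type:level form printed by newer releases.
selinux_type_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            n = split($i, c, ":")
            # role names end in _r by convention (object_r, system_r)
            if (n >= 3 && c[2] ~ /_r$/) { print c[3]; exit }
        }
    }'
}

# Print the persistent fix: record a labeling rule, then relabel from it.
# Assumption: the whole tree under the path is shared, hence "(/.*)?".
remediation_for() {
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$WANT_TYPE" "$1"
    printf 'restorecon -Rv "%s"\n' "$1"
}

# check_share PATH LS_LINE
# Returns 0 if the label is right; otherwise prints the fix and returns 1.
check_share() {
    path=$1; line=$2
    have=$(selinux_type_of "$line")
    [ "$have" = "$WANT_TYPE" ] && return 0
    printf '# %s: type is %s, expected %s\n' "$path" "${have:-unknown}" "$WANT_TYPE"
    remediation_for "$path"
    return 1
}

if [ "$#" -gt 0 ]; then
    # Live mode: check each share path given on the command line.
    rc=0
    for p in "$@"; do
        check_share "$p" "$(ls -dZ -- "$p" 2>/dev/null)" || rc=1
    done
    exit "$rc"
else
    # Demo mode. First line is constructed (share still labeled mnt_t);
    # second is the post-chcon line quoted in the thread.
    check_share /mnt/nas 'drwxr-xr-x root root system_u:object_r:mnt_t /mnt/nas' || :
    check_share /mnt/nas 'drwxr-x--- nas nas system_u:object_r:samba_share_t /mnt/nas' || :
fi
```

The script only prints the semanage and restorecon commands; it changes nothing itself, so the output can be reviewed before being run as root.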